About PhilipDAth

PhilipDAth

I would try a hardware reset, then failing that open a support case. Sounds like a hardware failure.

PhilipDAth

What everyone is saying is correct - the old traditional SSL native inspection future was removed - because there was a better solution. Cisco Meraki and Cisco Umbrella natively integrate together. In fact, the integration is even across multiple product families (MX and MR). https://documentation.meraki.com/MR/Other_Topics/Automatically_Integrating_Cisco_Umbrella_with_Meraki_Networks And then this evolved even a step further, and (especially for MX) the current iteration is now: https://documentation.meraki.com/CiscoPlusSecureConnect Basically you buy your MX and a "Foundations Essentials" licence. You can read more about the licence options here: https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now-_Sites/Cisco__Secure_Connect_Foundation_Meraki_SD-WAN_Integration So traditional SSL inspection - no. Modern SSL inspection - yes. If you are in Greenfields, I would jump directly to Foundation Essentials.

PhilipDAth

I could be wrong here - but I think only devices with the third scanning radio have this functionality. No MX has this, and neither do any of the entry-level MRs (like an MR28). I'm unsure if the "motel" series (like the MR36H) has this either. I could be wrong. Not tested.

PhilipDAth

This is deliberate containerization. It prevents "personal" apps and data from accessing "work" apps and data, and vice versa.

PhilipDAth

I can tell you exactly what this problem is. The WiFi power saving settings on the notebook. Not all notebooks expose the WiFi power saving settings via the GUI - so you may need to update the settings via the CLI (see below). The notebook with low latency will use CAM (constantly awake mode). With PSM mode (power saving mode, it also goes by other names), the WiFi NIC powers down for a set period of ms, then powers up and asks the AP for all buffered packets, and then powers down again. This reduces power consumption but increases latency. Run these two commands, reboot, and it should be fixed. powercfg /SETDCVALUEINDEX SCHEME_CURRENT 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0 powercfg /SETACVALUEINDEX SCHEME_CURRENT 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0

PhilipDAth

Specifically, this happens when you choose to use availability zones during deployment. You have to choose a zone of "none" to be able to use a NSG.

PhilipDAth

Maybe there is a wider issue at play - a bug. It sounds like it might be expiring the DNS results to quickly.

PhilipDAth

Yes, because he has been tagged.

PhilipDAth

Perhaps @BlakeRichardson might know.

PhilipDAth

The Cisco Meraki github has a sample program for doing firewall control. This example includes a "print" command which simply prints out all the firewall rules. https://github.com/meraki/automation-scripts/tree/master/mx_firewall_control

PhilipDAth

>Since I had two vMX for each org, I was told to deploy first in AZ1 and second in AZ2 for high availability. if I select NONE If you found it unreliable and intermittently had to restart the VMXs to get AutoVPN going again - would you call that compromised HA? Because that is what you'll experience if you use availability zones. Actually, since you have two VMX for each org the static route approach is more complicated. You will have to use this approach: https://documentation.meraki.com/MX/Other_Topics/Deploying_Highly_Available_vMX_in_Azure What this does is monitor each VMX and updates the static routes in Azure should one fail. Note that the Meraki instructions and the Azure instructions both contain serious grevious errors, and it is quite difficult getting this approach working if you have not done it before (you need to be able to figure out, correct and work through the documentation errors). You'll need a supernet static route in Azure pointing to a VMX from each org for the branches that sit behind that VMX. This is where you add the subnets located in Azure in the VMX (you'll need to do this on all VMXs). You'll also need to add routes here for the branches sitting in the other org. You are much better off configuring the BGP approach: https://documentation.meraki.com/MX/Deployment_Guides/vMX_and_Azure_Route_Server So be warned. This is doable, but it is going to be labour-intensive, complex, and it is going to need a good head when running into documentation errors and figuring out what the correct approach is.

PhilipDAth

Twilio is not reliable to use with International numbers. I typically find it only works in the US. I'm surprised it is working in Germany at all. It doesn't work at all for numbers in my part of the world. As a result, I never use SMS authentication for guest access.

PhilipDAth

Does the SSID have 2.4Ghz and 5Ghz enabled, and are they using the 2.4Ghz channel when they have the issue? Have you checked that you are all associated with the same AP? Perhaps they are using an AP much further away. try checking out: http://my.meraki.com/ Are you all connected to the same SSID, on the same band, and have similar signal strengths? I suspect you'll find something not the same.

PhilipDAth

>would it cache all the IPs returned by that query That is my understanding of how the MX works.

PhilipDAth

>This is by the way (almost) exactly how ASA Negative. The MX intercepts DNS queries to learn the IP address of FQDNs. ASA uses a scheduler and pre-emptively looks up the DNS entries used in every ACL, even if they are not used.

PhilipDAth

Yes, I run into this problem all the time. Typically you end up having to get a list of all the IP addresses that can be used for that service (which can be a lot), make a group up, and allow those.

PhilipDAth

I think it would be good to cover off the below tabs and for troubleshooting roaming.

PhilipDAth

This approach will crash and burn. Also note that you need to install the VMX in passthorugh mode in Azure for your use case. If it was not in passthrough mode when you deployed it you'll need to delete and re-deploy (the mode can not be changed post deployment). Also make sure you select "none" for availability zones when deploying to get a public IP address that is allowed to accept inbound traffic (if you select an availability zone all inbound traffic is blocked and you can not change this without deleting and re-deploying). You can make this work without BGP or IPSec by simply using static routes in Azure, and defining local subnets on the VMX (which say what to route to Azure on the Meraki side).

PhilipDAth

Also note that the "free count" that the API returns fails to take into account DHCP reservations. So it is very possible to have a "freeCount" and to have no DHCP addresses available. You can test this easily by creating a DHCP scope, and then reserving the whole thing.

PhilipDAth

Does your Synology NAS need to be connected to multiple VLANs? It would be simpler to have it in a single VLAN, and configure the port that it plugs into on the network as an access port.

PhilipDAth

Personally, I am not going to sell any Catalyst switch running in Meraki managed mode for a long time. I am happy to sell a 9300 switch running Catalyst software and onboard it into the Meraki Dashboard, and run it in Meraki monitored mode. This is because if the Meraki monitoring breaks, it won't affect the operation of the network. I have three Catalyst 9300s enrolled in the Meraki Dashboard so far, running in monitoring mode. Of those 3, one has stopped working (shows as offline in the Meraki dashboard). Meraki support has told me I need to re-enrol it again, which I will do when I am bored.

PhilipDAth

The change log mentioned by @alemabrahao will give the most precise details of what happened.

PhilipDAth

I've only had an issue when the system ran out of DHCP addresses. You could try turning off DHCP, and then turning it back on again. This should hopefully reset the DHCP sub-system. You could try reducing the DHCP lease time in case it is a starvation issue.

PhilipDAth

Oh @AmyReyes I hope you enjoy this transition in your life.

PhilipDAth

I have used "unique client identifier" a lot without issue.

PhilipDAth

Philip D'Ath

Community Record

Badges